Systems wide open because agencies fail to fix common security holes

Most cyberattacks target vulnerabilities in applications and Web sites, but agencies routinely fail to protect themselves properly, report concludes.

Most organizations fail to patch known security holes in computer applications or effectively scan their Web sites for common flaws, allowing hackers to enter networks and access data, according to a report released by security vendors on Tuesday.

More than half of all cyberattacks target vulnerabilities in a company's or government agency's applications and Web sites, according to a report released by network security vendors TippingPoint and Qualys. The report compiled data collected between March and August 2009 from customers running intrusion prevention solutions from TippingPoint and network monitoring software from Qualys.

"Two cyber risks dwarf all others and users are not effectively mitigating them, preferring to invest in mitigating less critical risks," said Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research organization in Bethesda, Md., which reviewed the report's data.

The number of holes discovered in applications is greater than the number of vulnerabilities discovered in operating systems, according to the report. Weaknesses in common applications such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office as well as the most popular Web browsers are typically exploited using spear-phishing attacks, which spread malicious code by tricking users into opening infected Web pages, documents, and music and video files attached to an e-mail.

On average, organizations take at least twice as long to patch vulnerabilities in applications, which rely on the network to access remote services from a server, as they do to fix holes in operating systems, according to the report. But operating systems have fewer vulnerabilities that can be exploited remotely. Other than the Conficker worm, which in March rapidly installed malicious software on millions of computers running the Microsoft operating system, no widespread worms for operating systems were detected during the reporting period.

Security vendors, who are responsible for issuing patches, also fall short, the report concluded. Zero-day exploits, attacks that take advantage of a flaw in an application's software code before a fix or patch is available, are among the most serious threats to networks, but some flaws reported to vendors two years ago have yet to be patched, according to the report.

Web site operators also do not effectively scan for common flaws in software code that can be exploited. More than 60 percent of all cyberattack attempts target vulnerabilities in Web applications, according to the report. The goal of the attacks is to take over trusted sites so they serve up infected content that allows hackers into the visitors' networks.

"Enterprises are prioritizing what is unimportant and delaying fixing the main attack targets," Paller said.

He said he hopes the report will encourage network security managers to shift money to fix the more dire threats, "because [they] are very hard to ignore. Not acting would be obvious negligence."